Apache Camel Infinispan Unsafe Deserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability exists in Apache Camel Infinispan due to unsafe deserialization in the ProtoStream remote aggregation repository. This flaw allows a remote attacker with low privileges to send specially crafted data, potentially leading to arbitrary code execution. Exploitation of this vulnerability could give the attacker full control over the affected system, severely impacting its confidentiality, integrity, and availability.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running in the same context as the application. This could lead to unauthorized access, modification of data, or disruption of service, depending on the nature of the executed code.
Reproduction
The vulnerability can be reproduced with Apache Camel Infinispan versions 4.10.0 or later together with Infinispan version 15.1.4. The issue arises when the ProtoStream remote aggregation repository is used: the deserialization step does not properly validate incoming data, so attacker-controlled bytes can lead to the execution of arbitrary code.
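The advisory names no fix or mitigation and does not say which deserialization mechanism the repository falls back to, so the following is an added, generic illustration rather than Camel's or Infinispan's own code: it contrasts unrestricted JDK object deserialization with the same operation behind an `ObjectInputFilter` allow-list, which is the standard defence against the class of bug described above. The `AggregationState` class, the allow-list contents and the sample payloads are assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class AllowListDeserialization {

    // Hypothetical aggregation state that a repository might legitimately persist.
    public static final class AggregationState implements Serializable {
        private static final long serialVersionUID = 1L;
        final List<String> bodies = new ArrayList<>();
    }

    // Allow-list filter (JEP 290 pattern syntax): only the state class and the JDK
    // types it contains are accepted; "!*" rejects every other class before it is
    // instantiated. maxdepth/maxarray bound resource use from nested or oversized input.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "AllowListDeserialization$AggregationState;java.util.ArrayList;java.lang.String;"
            + "maxdepth=5;maxarray=10000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe: any Serializable class on the classpath may be instantiated by the stream,
    // which is what turns attacker-controlled bytes into code execution.
    static Object deserializeUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter is consulted for each class in the stream and rejects
    // anything outside the allow-list with an InvalidClassException.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed legitimate payload: accepted by both paths.
        AggregationState state = new AggregationState();
        state.bodies.add("constructed sample body");
        byte[] expected = serialize(state);
        System.out.println("filtered, expected type: "
                + deserializeFiltered(expected).getClass().getSimpleName());

        // Constructed unexpected payload: a harmless JDK type that is not on the allow-list.
        // The unrestricted path instantiates it; the filtered path refuses it.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unrestricted, unexpected type: "
                + deserializeUnrestricted(unexpected).getClass().getSimpleName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

When the deserialization happens inside a library rather than in code you control, the same allow-list can be applied process-wide with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which is the check a practitioner would want in place while waiting for a patched component version.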
